How Europol’s reform enables ‘NSA-style’ surveillance operations

“More than 100 million”. That’s the number of encrypted messages that French and Dutch law enforcement announced they had collected after infiltrating Encrochat in 2020, a company selling encrypted communication services and devices, writes EDRi's Chloé Berthélémy.

By EDRi · June 30, 2021

Three months ago, police in Belgium and the Netherlands boasted about bringing down Sky ECC, a similar encrypted messaging service provider. These efforts gave them access to “up to a billion messages”.

On 8 June, it was the U.S. Federal Bureau of Investigation’s (FBI) turn to explain how they had deceived people into using ANOM, a communications platform that the law enforcement authority had built itself, in order to spy on people’s communications.

These police “success stories” reflect global and growing efforts by investigating authorities to develop and deploy ever more intrusive tools, also known as “government hacking”, in order to investigate illegal activity. This is evidenced by the recent adoption in several EU member states of specific laws to legalise hacking practices.

The infiltration of a network is extremely intrusive as it can provide access to a much greater amount of data than traditional investigative tools, as well as to extremely sensitive data (such as a person’s location and movements, all stored data like photos, etc.).

When a whole platform is targeted, everyone’s data is accessed and analysed, even persons who have no link to any criminal activity.

Such bulk data interception could potentially affect persons whose communications are protected by national laws (like lawyers, doctors and journalists) or users who have legitimate needs for strong privacy protection (like human rights defenders and whistleblowers).

As a result, the fundamental rights at stake are not restricted to the rights to data protection and privacy, but also include the right to a fair trial, media freedom and freedom of expression.

These concerns are compounded by law enforcement authorities having to make sense of terabytes of data gathered during bulk hacking operations. In these cases, the use of data-mining tools helps identify unknown potential suspects by the sheer volume of data.

However, this requires sophisticated analytical technologies and expertise – resources that national authorities sometimes fail to possess.

Member states, therefore, rely on Europol’s capacities in “digital forensics” and big data analytics. The European agency for police cooperation acts as a centre of expertise and information sharing for all police forces in the European Union (EU).

However, an investigation by the European Data Protection Supervisor (EDPS) last year found Europol’s data practices unlawful. The EDPS discovered that in order to analyse large datasets transferred by member states to produce “criminal intelligence”, Europol was processing the data of individuals not linked in any capacity to any criminal activity.

Despite this being illegal under Europol’s current data processing rules, the agency’s methods remain unobstructed. Instead of suggesting solutions to bring Europol’s practices in line with its mandate, the Commission released a proposal in December 2020 to legalise them.

The proposed data-mining powers for Europol, which resemble the modus operandi of intelligence services such as the U.S. National Security Agency (NSA), could circumvent critical safeguards in criminal procedure law and obliterate any presumption of innocence.

It would also impact the right to non-discrimination as data-mining techniques rely on the prioritisation of certain characteristics which can be motivated by racialised assumptions and other discriminatory prejudices.

When Europol uses big data, it cannot exclude the possibility of its analysis having disproportionate impacts on racialised and marginalised groups.

The storage of innocent persons’ sensitive communications for months or even years in Europol’s databases will exacerbate Europol’s reputation as a powerful yet opaque and unaccountable agency.

This will further deteriorate public trust in EU institutions. Yet, the European Commission’s proposal does very little to remedy the current low level of judicial oversight and democratic accountability, which is fundamental to mitigate potential fundamental rights violations.

Europol is rarely subject to significant scrutiny of its operational work. The very fact that the agency itself had to inform the EDPS about its “serious compliance issues” highlights the powerlessness of its watchdogs.

The Joint Parliamentary Scrutiny Group, composed of Members of the European Parliament (MEPs) and national parliaments, cannot access sensitive information. Therefore, its capacities to effectively oversee Europol’s day-to-day work will likely remain incomplete and inconsequential after the reform.

The revision of Europol’s mandate, currently in the hands of the European Parliament and the Council, will certainly lead to severe fundamental rights interferences. These would include a push for increased uses of automated decision-making such as AI and profiling in law enforcement, further deepening the democratic deficit of the agency.

At a time when police abuse is increasingly watched and contested across Europe, the EU is unfortunately choosing to fuel opaque and unaccountable law enforcement powers.

Instead, European Digital Rights (EDRi) call for greater accountability and scrutiny mechanisms as well as strict legal boundaries to prevent Orwellian levels of state mass surveillance.

The article was first published by Euractiv.

Image credit: Roel Wijnants/ Flickr (CC BY-NC 2.0)

Chloé Berthélémy

Policy Advisor

Twitter: @ChloBemy